Security Assessment 101: Skip HTTP and just use HTTPS

So you built this awesome business web app. You sold it to your customer and it's now in production. You're using SSL, and it's even configured to best practices. See my previous post on securing SSL. But what happens when a user goes to your web application? It probably redirects them from HTTP to HTTPS so they can log in over SSL.

Why do that???

That is the question to ask yourself. Why redirect users from HTTP to HTTPS to log in? Why not ALWAYS use SSL??? I really do not believe you need HTTP, or port 80, turned on at all for business web applications. Here are my assumptions about a business web application:

Most interactions with your site are behind the login page. By most, I really mean something like 99%.

The data is sensitive, company proprietary, etc…

You have employee information, financial information, etc…

So in this scenario there is no real reason to have HTTP bindings set up in IIS for your site. Remove them, turn port 80 off on the firewall and allow only port 443. Keep in mind what the redirect actually does: the user's first request still crosses the network in the clear, and anyone sitting in the path can answer it before your server gets the chance to send the redirect. With port 80 closed that first request is simply refused. Don't give the attacker a chance to see traffic over HTTP, or an avenue into your server over port 80.
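As an added example (not code from the original post), here is what those two steps look like in PowerShell on the IIS host, followed by a check run from a second machine. The site name BusinessApp and the hostname app.example.com are placeholders. Step 5 goes beyond the post: it adds an HSTS header so that a browser which has loaded the site once over HTTPS rewrites any later http:// bookmark or link to https:// on its own, instead of hitting the closed port.

```powershell
# Added example, not from the original post.
# Assumes the WebAdministration module (IIS 7+) and the NetSecurity module
# (Windows Server 2012+), run in an elevated PowerShell on the IIS host.
# 'BusinessApp' and 'app.example.com' are placeholders for your site and hostname.
Import-Module WebAdministration
Import-Module NetSecurity

$siteName = 'BusinessApp'
$fqdn     = 'app.example.com'

# 1. Show what is bound today. Confirm an https binding exists before touching http.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation

# 2. Safety check: with no https binding, removing http would take the site down.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    throw "No https binding on $siteName. Add one (with its certificate) before removing http."
}

# 3. Remove every http binding on the site, so IIS stops listening on port 80 for it.
Get-WebBinding -Name $siteName -Protocol http | Remove-WebBinding

# 4. Block inbound TCP/80 at the host firewall too, so a later binding or another
#    service on the box cannot quietly reopen the port.
New-NetFirewallRule -DisplayName 'Block inbound HTTP (TCP 80)' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block

# 5. (Addition beyond the post) Send HSTS so a browser that has seen the site over
#    HTTPS rewrites later http:// bookmarks and links to https:// before connecting.
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
    -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=31536000; includeSubDomains' }

# 6. Verification. Run this part from a client machine, not on the server itself,
#    so the connection attempts actually cross the firewall.
#    Expected: port 80 refused, port 443 reachable, HSTS header present.
$port80  = Test-NetConnection -ComputerName $fqdn -Port 80  -WarningAction SilentlyContinue
$port443 = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
if ($port80.TcpTestSucceeded)       { Write-Warning "Port 80 still answers on $fqdn" }
if (-not $port443.TcpTestSucceeded) { Write-Warning "Port 443 is not reachable on $fqdn" }
$resp = Invoke-WebRequest -Uri "https://$fqdn/" -UseBasicParsing
if (-not $resp.Headers['Strict-Transport-Security']) { Write-Warning 'HSTS header missing' }
```

Step 2 is there because removing the http binding is irreversible from the client's point of view: if the https binding or its certificate is broken, the user gets nothing at all rather than a plaintext fallback, so confirm the HTTPS side works first. The firewall rule in step 4 is the part that still protects you when someone adds a new site or service to the same box months later.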

But what about the customer???

They won't know to use HTTPS… For me this is a pretty easy answer. When sending the welcome package to your customer, explain to them why you did this and tell them the URL is only accessible over HTTPS. Make sure every link you send them, in the welcome package and in any e-mail the application sends, already starts with https://. I have been doing this for years, and yes, we have had a few calls to the help desk. But VERY, VERY few calls.